Who can save us? It's 2018 and some email is still sent as cleartext

Out of the phone booth comes the IETF in lycra - with the power of STANDARDS!

The Internet Engineering Task Force (IETF) has emitted another small advance in its program to protect as much of the Internet as it can, with a request that email systems finish encrypting all their connections.

In RFC 8314, Windrock's Keith Moore and Oracle's Chris Newman explain that there some interactions between email clients and servers still aren't encrypted.

Implementations of protocols like IMAP, POP, and SMTP have supported TLS for years, but often not “in a way that maximises end-user confidentiality”, an RFC penned by the pair said.

For example, there's the enduring but imperfect STARTTLS: it eventually sets up an encrypted channel for passing messages, but only after it uses cleartext communications so the client and server can negotiate capabilities and configuration.

The RFC recommends this be deprecated. Instead, TLS should be negotiated immediately when a connection is initiated, on a separate port, for all protocols between the client and the message transfer agent (MTA). This is referred to as “implicit TLS” in the RFC.

That would apply to IMAP over port 993, POP (port 995), and SMTP Submission (port 465).

Those writing client software (Outlook, Mac Mail, Thunderbird and so on) need to deprecate other connection methods, the RFC says.

Likewise, mail service providers are told to wind up old insecure protocols: “MUAs and Mail Service Providers (MSPs) (a) discourage the use of cleartext protocols for mail access and mail submission and (b) deprecate the use of cleartext protocols for these purposes as soon as practicable”, the RFC says.

“Servers provided by MSPs other than POP, IMAP, and/or Message Submission SHOULD support TLS access and MUST support TLS access for those servers that support authentication via username and password”, it continues.

Port 25 remains in use in too many places, and the authors want that to end: MSPs should transition users at least to STARTTLS (or better, Implicit TLS) as soon as possible.

And, of course, systems and services need to deprecate old encryption and implement at least TLS 1.1 or later. ®